Coming to a Windows Server 2000 Computer Near You: 'Clippy's Revenge'

By Jabulani Leffall

09/13/2007

"It looks like you're using me as an attack vector for hacking into a business network, would you like some help?"

That phrasing, if not the exact wording, should be instantly recognizable to anyone who's ever use the reviled -- and now defunct -- Microsoft Office help agent icon known as "Clippy." And now Clippy, whom everyone assumed with great delight was dead, could be revived as a destructive force, IT analysts and researchers learned this week.

Security experts at Symantec, VeriSign and other vendors have discovered that a "proof of concept" code exists to exploit a vulnerability for which Redmond released a "Critical" patch (Bulletin MS07-051) on Tuesday. The exploit code comes less than two days after Redmond's announcement that hackers could piggyback on "Clippy" using a specially crafted URL to penetrate a workstation hard drive or, even worse, a business network.

In IT security terms, proof of concept simply means that someone has developed new code to test the hypothesized weakness and how it can be used to hack into a system -- in this case, Windows 2000.

It's not clear at this time whether there is any malicious intent connected to the new exploit code's existence. Symantec's DeepSight threat network first alerted customers that JavaScript exploit code had been posted to the Web from somewhere inside Brazil.

"There are a number of enterprises that still use Windows 2000 and this exploit is typical of the underground, a very common way to get into the system," explains Tom Cross, a researcher with IBM Internet Security Systems Inc.'s X-Force. "Things like the Clippy exploit are used to install malware almost all the time."

Current users and admins running Windows 2000 and related applications should install Microsoft's critical patch quickly, as well as leveraging whatever intrusion prevention system technology is at their disposal, adds Cross.

IT security managers will have to decide whether or not to disable ActiveX control, as VeriSign suggests, or simply restrict access to nonpertinent Web sites while patches are loading on to the system.

Neil MacDonald, vice president of Gartner Research and a Gartner Fellow of Information Security, said there are no penalties for being too cautious. He added that it's "fortunate that the Clippy exploit code doesn't represent a zero day attack," meaning the code didn't spring up before Microsoft released the patch.

"What you tend to look for with the 'proof of concept' versus something that is in the wild, is how the exploit code progresses," MacDonald said. "In this instance you watch out for code variants, monitor how it spreads and how the code evolves."

Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies, called the exploit "Clippy's Revenge." He said the scary thing is that "users and administrators don't even have to see the Clippy icon to get their system hacked. Just be vigilant around your enterprise and take all of the Critical patches seriously."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.